Project

General

Profile

Multi-cluster user database » History » Version 8

Tom Clegg, 07/25/2019 08:55 PM

1 1 Tom Clegg
h1. Multi-cluster user database
2
3
It is sometimes desirable to share a single user database across multiple Arvados clusters. For example:
4 6 Tom Clegg
* Clusters aaaaa, bbbbb, ccccc, ddddd, eeeee are on different continents, but they use the same upstream authentication providers (ldap/google).
5
* A down/unreachable cluster should not prevent any user from using _other_ clusters in the group -- even if the down/unreachable cluster is the one where the user's account was initially created.
6 1 Tom Clegg
7 6 Tom Clegg
This requires some changes to login and token validation. (Currently, any given user account has a single "home cluster" that can issue or validate tokens for it.)
8 1 Tom Clegg
9 6 Tom Clegg
h2. Logging in
10 1 Tom Clegg
11 6 Tom Clegg
Each user should be able to log in to their account using any cluster, regardless of where/whether they have logged in previously.
12 1 Tom Clegg
13 8 Tom Clegg
To achieve this (without depending real-time communication between clusters) the participating clusters need to agree on a mapping of upstream authentication results to Arvados user UUIDs. For example, if the upstream authentication result is @"ldap://ldap.example foo@bar.example"@ ("ldap://ldap.example assures us this user is foo@bar.example"):
14
# Generate a UUID "eeeee-tpzed-${sha1part(upstream)}" (where eeeee is a common prefix used by all participating clusters and sha1part() is the first 15 chars of base-36-encoded sha1())
15
# If it doesn't already exist, add a row to the users table with this UUID
16
# If another row exists in the users table with the same upstream (or same identity_url) but a different UUID, [offer to] merge the old account's data/objects/permissions into the new account (it isn't possible to log into the old account any more, but we know it belongs to the same person as the new account).
17 1 Tom Clegg
18 8 Tom Clegg
Notes
19
* the "upstream" field is similar to identity_url as initially conceived. Since #4601, identity_url has been an opaque SSO-generated UUID, with no info about upstream -- so we will rely on it to detect "same upstream as old account that needs to be migrated" but we can't use it to generate the same user UUID as other clusters, hence the need for a new "upstream" field
20
* "remote" accounts (the kind that we already have in the users table with foreign UUIDs) have a null identity_url field, and will also have a null upstream field
21 2 Tom Clegg
22 8 Tom Clegg
|uuid                        |upstream                            |identity_url                |significance               |
23
|eeeee-tpzed-012340123401234 |ldap://ldap.example foo@bar.example |login-tpzed-aaaaaaaaaaaaaaa |Newly created user account |
24
|aaaaa-tpzed-aaaaaaaaaaaaaaa |NULL                                |login-tpzed-aaaaaaaaaaaaaaa |Old user account (can't log in to this any more - contents should be migrated to eeeee-*) |
25
|ooooo-tpzed-ooooooooooooooo |NULL                                |NULL                        |Remote user from cluster ooooo (not part of our multi-cluster group) |
26 1 Tom Clegg
27 4 Tom Clegg
h2. Configuration
28 2 Tom Clegg
29
Each cluster needs to know
30
* the uuid prefix to use when creating a new account, e.g., "eeeee"
31 4 Tom Clegg
* additional user uuid prefixes that remote clusters are trusted to validate
32 3 Tom Clegg
33 2 Tom Clegg
<pre><code class="yaml">
34
Clusters:
35 6 Tom Clegg
  aaaaa:
36
    Login:
37 1 Tom Clegg
      AssignUUIDPrefix: eeeee
38
    RemoteClusters:
39
      bbbbb:
40
        Proxy: true
41
        Authenticate:
42
          bbbbb: {} # (implied)
43
          eeeee: {} # accept tokens issued by bbbbb for users with uuid eeeee-*
44
</code></pre>
45
46
Example: aaaaa needs to validate a token issued by bbbbb.
47
* Do a callback to bbbbb (or check JWT signature) to confirm bbbbb really issued this token and get the relevant user UUID (result: yes, user uuid is eeeee-tpzed-012340123401234)
48
* If config Clusters.aaaaa.RemoteClusters.bbbbb.Authenticate.eeeee is present, accept the token
49
* Otherwise, fetch eeeee's config; if RemoteClusters.bbbbb.Authenticate.eeeee is present, accept the token
50
* Otherwise, reject the token
51 4 Tom Clegg
52 1 Tom Clegg
h2. Validating tokens
53 8 Tom Clegg
54
(...even when the issuing cluster is unreachable)
55 6 Tom Clegg
56
Each cluster should be able to validate a token that was issued by a different, currently unreachable, cluster. This contrasts with the current setup, where aaaaa validates tokens issued by bbbbb by doing a callback to bbbbb.
57
58 7 Tom Morris
This seems easy enough: instead of random strings, tokens can be [like] "JSON Web Tokens":https://jwt.io/, signed by a private key whose public part is known by all clusters. (This would also be more efficient than callbacks, benefiting the mutually-untrusted cluster scenario too.)